CVE-2022-34321
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
12/03/2024
Last modified:
22/01/2025
Description
Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. The vulnerable endpoint exposes detailed statistics about live connections, along with the capability to modify the logging level of proxied connections, without requiring proper authentication credentials.

This issue affects Apache Pulsar versions from 2.6.0 to 2.10.5, from 2.11.0 to 2.11.2, from 3.0.0 to 3.0.1, and 3.1.0.

The known risks include exposing sensitive information such as connected client IPs, and unauthorized logging level manipulation, which could lead to a denial-of-service condition by significantly increasing the proxy's logging overhead. When deployed via the Apache Pulsar Helm chart within Kubernetes environments, the actual client IP might not be revealed because of the load balancer's default behavior, which typically obscures the original source IP addresses when externalTrafficPolicy is configured to "Cluster" (the default). The /proxy-stats endpoint contains topic level statistics; however, in the default configuration, the topic level statistics aren't known to be exposed.

2.10 Pulsar Proxy users should upgrade to at least 2.10.6.
2.11 Pulsar Proxy users should upgrade to at least 2.11.3.
3.0 Pulsar Proxy users should upgrade to at least 3.0.2.
3.1 Pulsar Proxy users should upgrade to at least 3.1.1.

Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions. Additionally, it's imperative to recognize that the Apache Pulsar Proxy is not intended for direct exposure to the internet. The architectural design of Pulsar Proxy assumes that it will operate within a secured network environment, safeguarded by appropriate perimeter defenses.
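The affected ranges and upgrade targets above translate directly into an inventory check. The following is an added example (not code from the Apache Pulsar project or from this advisory) that encodes the advisory's ranges and reports, for each proxy version found in a deployment inventory, whether it is affected and which patched release to move to. The `triage` helper and the sample inventory are constructed for illustration; for 2.6 to 2.9 releases, which have no patched release of their own line, the advisory's guidance to move to "the aforementioned patched versions or newer" is interpreted as the earliest patched release, 2.10.6.

```python
"""Added example: check Apache Pulsar Proxy versions against the
affected ranges published for CVE-2022-34321 (not project code)."""
from __future__ import annotations

# Affected ranges from the advisory, as half-open intervals [lower, upper).
# 3.1.0 is the only affected release of the 3.1 line, so its interval is [3.1.0, 3.1.1).
AFFECTED_RANGES: list[tuple[tuple[int, int, int], tuple[int, int, int]]] = [
    ((2, 6, 0), (2, 10, 6)),
    ((2, 11, 0), (2, 11, 3)),
    ((3, 0, 0), (3, 0, 2)),
    ((3, 1, 0), (3, 1, 1)),
]

# Minimum patched release per affected minor line, per the advisory's upgrade guidance.
FIXED_VERSIONS: dict[tuple[int, int], str] = {
    (2, 10): "2.10.6",
    (2, 11): "2.11.3",
    (3, 0): "3.0.2",
    (3, 1): "3.1.1",
}

# Assumption: 2.6 to 2.9 have no patched release of their own, so the earliest
# patched release is the upgrade target the advisory implies for them.
EARLIEST_FIX = "2.10.6"


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a trailing '-suffix' (e.g. '-SNAPSHOT') is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Pulsar version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> str | None:
    """Patched release to upgrade to, or None when the version is not affected."""
    if not is_affected(version):
        return None
    major, minor, _ = parse_version(version)
    return FIXED_VERSIONS.get((major, minor), EARLIEST_FIX)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each proxy host (constructed names) to a one-line verdict."""
    verdicts: dict[str, str] = {}
    for host, version in inventory.items():
        fix = recommended_fix(version)
        if fix is None:
            verdicts[host] = f"{version}: not affected"
        else:
            verdicts[host] = f"{version}: AFFECTED, upgrade to {fix} or newer"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative only.
    sample_inventory = {
        "proxy-a.internal": "2.10.5",
        "proxy-b.internal": "2.11.3",
        "proxy-c.internal": "3.1.0",
        "proxy-d.internal": "2.8.2",
    }
    for host, verdict in triage(sample_inventory).items():
        print(f"{host}: {verdict}")
```

Run it against an inventory exported from your configuration management or Helm release list; any host reported as affected should be scheduled for the listed upgrade, and, per the advisory, none of them should be reachable from the internet in the first place.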
Impact
Base Score 3.x
8.20
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.10.6 (excluding) |
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 2.11.0 (including) | 2.11.3 (excluding) |
cpe:2.3:a:apache:pulsar:*:*:*:*:*:*:*:* | 3.0.0 (including) | 3.0.2 (excluding) |
cpe:2.3:a:apache:pulsar:3.1.0:-:*:*:*:*:*:* | 3.1.0 (including) | 3.1.0 (including) |
References to Advisories, Solutions, and Tools
- http://www.openwall.com/lists/oss-security/2024/03/12/8
- https://lists.apache.org/thread/ods5tq2hpl390hvjnvxv0bcg4rfpgjj8
- https://pulsar.apache.org/security/CVE-2022-34321/